nextcloud / helm

A community maintained helm chart for deploying Nextcloud on Kubernetes.
GNU Affero General Public License v3.0

s3 irsa authentication #507

Closed clayrisser closed 5 months ago

clayrisser commented 5 months ago

How to authenticate NextCloud with s3 using irsa.

https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/

This is my s3 config

<?php
$CONFIG = array (
  'objectstore' => array(
    'class' => '\\OC\\Files\\ObjectStore\\S3',
    'arguments' => array(
      'autocreate'     => false,
      'bucket'         => 'some-bucket',
      'endpoint'       => 'some-bucket.s3.eu-south-1.amazonaws.com',
      'region'         => 'eu-south-1',
      'use_path_style' => false,
      'use_ssl'        => true,
    )
  )
);

I didn't add the secret and key because I was expecting irsa to handle it. I have verified my token is mounted to /var/run/secrets/kubernetes.io/serviceaccount.

It is not authenticating with s3. I get the following error from nextcloud when trying to interact with files.

{"ocs":{"meta":{"status":"failure","statuscode":403,"message":"Failed to create file from template"},"data":[]}}

provokateurin commented 5 months ago

I don't think that will work. Nextcloud only reads the config and no environment variables or other files.

clayrisser commented 5 months ago

Can nextcloud add support for irsa?

provokateurin commented 5 months ago

It is not something that will be solved in Nextcloud itself. It would make sense to support it in this Helm Chart in some way. The way to go would be writing a custom config file that reads the file at runtime. Basically what you did already, but adding the secret and key from the file.

maxemann96 commented 5 months ago

The following works, since the AWS SDK is used under the hood, which should pick up the credentials correctly.

nextcloud:
  configs:
    s3.config.php: |-
      <?php
      $CONFIG = array (
        'objectstore' => array(
          'class' => '\OC\Files\ObjectStore\S3',
          'arguments' => array(
            'bucket'     => 'BUCKET',
            'autocreate' => false,
            'region'     => 'eu-central-1',
            'use_ssl'    => true
          )
        )
      );
rbac:
  enabled: true
  serviceaccount:
    annotations:
      eks.amazonaws.com/role-arn: ROLE_ARN

clayrisser commented 5 months ago

I've tested this and it does not work. It does not pick up the eks token.

maxemann96 commented 5 months ago

It's working like a charm in my case. Have you double checked that the ARN is correct and the permission policy is also correct?

clayrisser commented 5 months ago

@maxemann96 it is not working for me. I get the following error when trying to create a file.

{"ocs":{"meta":{"status":"failure","statuscode":403,"message":"Failed to create file from template"},"data":[]}}

I have verified the following file exists and is readable.

/var/run/secrets/eks.amazonaws.com/serviceaccount/token

clayrisser commented 5 months ago

I tried supplying the key and secret directly to confirm my setup is correct and it works, so it seems to me irsa doesn't work for nextcloud.

It seems to me the PHP s3 client doesn't work with irsa.

clayrisser commented 5 months ago

Also filed the issue here. I'm assuming nextcloud uses the official PHP s3 client.

https://github.com/aws/aws-sdk-php/issues/2872

clayrisser commented 5 months ago

@maxemann96 I got it to work. As you suggested, it was a misconfigured role.
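The thread resolves with a misconfigured IAM role, which is the usual failure mode when the values above (no static key, `eks.amazonaws.com/role-arn` on the service account) are correct but S3 still returns 403. The check below is an added example, not code from the nextcloud/helm chart or from anyone in this thread: it takes an IRSA role trust policy document and the claims of the projected token at `/var/run/secrets/eks.amazonaws.com/serviceaccount/token`, and reports every mismatch between them and the namespace/service-account the chart creates. The OIDC provider host, account id, namespace and service-account name are placeholders, and the policy and token claims are constructed samples.

```python
"""Check an IRSA trust policy and projected token against a service account.

Added example, not part of the nextcloud/helm chart. OIDC host, account id,
namespace and service-account name are placeholders; the policy document and
token claims are constructed samples.
"""
import json

# Placeholders: substitute the cluster's OIDC provider and the chart's namespace/SA.
OIDC_HOST = "oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLEOIDCPROVIDERID"
PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{OIDC_HOST}"
NAMESPACE = "nextcloud"
SERVICE_ACCOUNT = "nextcloud"
STS_AUDIENCE = "sts.amazonaws.com"


def expected_subject(namespace: str, service_account: str) -> str:
    """The `sub` claim EKS puts into projected service-account tokens."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, provider_arn: str, oidc_host: str,
                       namespace: str, service_account: str) -> list:
    """Return a list of problems with the role's trust policy.

    An empty list means a statement allows sts:AssumeRoleWithWebIdentity from
    the cluster's OIDC provider, scoped to this service account's `sub` and to
    the STS audience, which is what IRSA requires.
    """
    want_sub = expected_subject(namespace, service_account)
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action")):
            continue
        problems = []
        federated = st.get("Principal", {}).get("Federated")
        if federated != provider_arn:
            problems.append(f"Principal.Federated is {federated!r}, expected {provider_arn!r}")
        conds = st.get("Condition", {}).get("StringEquals", {})
        subs = _as_list(conds.get(f"{oidc_host}:sub"))
        if want_sub not in subs:
            problems.append(f"{oidc_host}:sub condition is {subs!r}, expected {want_sub!r}")
        auds = _as_list(conds.get(f"{oidc_host}:aud"))
        if STS_AUDIENCE not in auds:
            problems.append(f"{oidc_host}:aud condition is {auds!r}, expected {STS_AUDIENCE!r}")
        return problems
    return ["no Allow statement for sts:AssumeRoleWithWebIdentity"]


def check_token_claims(claims: dict, oidc_host: str,
                       namespace: str, service_account: str) -> list:
    """Return mismatches between the projected token's claims and what STS
    will compare against the trust policy (issuer, subject, audience)."""
    problems = []
    if claims.get("iss") != f"https://{oidc_host}":
        problems.append(f"iss is {claims.get('iss')!r}, expected https://{oidc_host}")
    want_sub = expected_subject(namespace, service_account)
    if claims.get("sub") != want_sub:
        problems.append(f"sub is {claims.get('sub')!r}, expected {want_sub!r}")
    if STS_AUDIENCE not in _as_list(claims.get("aud")):
        problems.append(f"aud is {claims.get('aud')!r}, expected to contain {STS_AUDIENCE!r}")
    return problems


def make_trust_policy(namespace: str, service_account: str) -> dict:
    """Constructed sample of a correct IRSA trust policy for the placeholders above."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{OIDC_HOST}:sub": expected_subject(namespace, service_account),
                f"{OIDC_HOST}:aud": STS_AUDIENCE,
            }},
        }],
    }


# Constructed sample token claims, as a decoded projected-token payload would look.
SAMPLE_CLAIMS = {
    "iss": f"https://{OIDC_HOST}",
    "sub": expected_subject(NAMESPACE, SERVICE_ACCOUNT),
    "aud": [STS_AUDIENCE],
}

if __name__ == "__main__":
    good = make_trust_policy(NAMESPACE, SERVICE_ACCOUNT)
    # A role trusting the wrong namespace: the kind of misconfiguration this thread ended on.
    bad = make_trust_policy("default", SERVICE_ACCOUNT)
    for name, pol in (("good", good), ("bad", bad)):
        print(name, json.dumps(check_trust_policy(pol, PROVIDER_ARN, OIDC_HOST,
                                                  NAMESPACE, SERVICE_ACCOUNT)))
    print("token", check_token_claims(SAMPLE_CLAIMS, OIDC_HOST, NAMESPACE, SERVICE_ACCOUNT))
```

To use it against a live pod, decode the payload segment of the mounted token (the middle base64url part) into `claims` and feed the output of `aws iam get-role` for the `AssumeRolePolicyDocument` as `policy`; a non-empty result pinpoints which side of the trust relationship disagrees, which is quicker than re-reading the 403 from Nextcloud.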